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Protocol-Level Evasion of 
We^Application Firewalls 


True Evasion Story 


■ Once, a long time ago, I evaded a web application 
firewall by adding a single character to a valid 
request. Can you spot it below? 

GET /myapp/admin.php?userid=1001 HTTP/1.1 
Host: www.example.com. 

User-Agent: Mozilla/5.0 (Windows NT 6.1; W0W64; rv:l3.0) 
Gecko/20100101 Firefox/13.0.1 

Accept: text/html,application/xhtml+xml,application/xml;q=0.9 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip, deflate 
DNT: 1 

Connection: keep-alive 
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True Evasion Story 


I 


o 


■ Once, a long time ago, I evaded a web application 
firewall by adding a single character to a valid 
request. Can you spot it 

GET /myapp/admin.php?usey 
Host: www.example.coQ 

User-Agent: Mozilla/5.0 (Wirib^s NT 6.1; 1aI01aI64; rv:l3.0) 
Gecko/20100101 Firefox/13.0.1 

Accept: text/html,application/xhtml+xml,application/xml;q=0.9 
Accept-Language: en-us,en;q=0.5 
Accept-Encoding: gzip, deflate 
DNT: 1 

Connection: keep-alive 
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Why Do I Care? 



■ Spent years developing WAFs and 
related software: 

- Built ModSecurity (2002-2009) 

- Built libhtp (2009-2010) 

- Now working on IronBee 

(not coding, though) 

■ WAF concepts are powerful, but the 
field needs more research and the 
market needs more transparency 


modsecurity 


libhtp 

^ariRONBEE 

Open Source WAF 
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1 INTRODUCTION TO 
PROTOCOL-LEVEL 
EVASION 
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Impedance Mismatch 


o 


■ Impedance mismatch, in the context of security 
monitoring, refers to the problem of different 
interpretations of the same data stream 

- The security tool sees one thing 

- The backend server sees another 

■ Possible causes: 

- Ambiguous standards 

- Partial and "Works for me" backend implementations 

- "Helpful"developer mentality 

- Insufficient attention by security product developers 
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Protocol-Level Evasion Overview 


■ HTTP 

- Message parsing 

- Request line 

- Request headers 

- Cookies 

■ Hostname 

■ Path 

■ Parameters 

■ Request body 

- Uriencoded 

- Multipart 


Method Path Query string Protocol 
Header name Header value 

SP Header value 

Header name Header value 

Header name Header value 

Request body 
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Protocol-Level Evasion Overview 


■ HTTP 

- Message parsing 

- Request line 

- Request headers 

- Cookies 

■ Hostname 

■ Path 

■ Parameters 

■ Request body 

- Uriencoded 

- Multipart 


Method 

Path 

Query string Protocol 

Header 

name 

Header value 

SP 


Header value 

Header 

name 

Header value 

Header 

name 

Header value 

body 
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Virtual Patching 


o 


■Virtual patching is probably the 
most widely used WAF feature 

1. You know you have a problem 

2. You can't resolve it, or can't resolve it in a timely manner 

3. You deploy a WAF as a short-term mitigation measure 

■ Challenge: 

- To support the narrow focus of virtual patches, WAFs have to 
make a lot of processing decisions 

- The more decision points there are, the easier it is to 
successfully evade detection 
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2 PATH 
EVASION 
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Attacking Patch Activation 


o 


■ An application entry point might look like this: 

/myapp/admin.php?userid=1001 

■ And the virtual patch, using Apache and 
ModSecurity, like this: 

cLocation /myapp/admin.php> 

# Allow only numbers in userid 
SecRule ARCS:userid "!''\d+$" 
</Location> 
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PATH INFO and Path Parameters 


■ Surprisingly, some WAFs* still don't 
know about PATHJNFO: 

/myapp/admin.php/xyz?userid=X 

■ If PATH_INFO is not supported by the 
backend server, you might want to try 
path parameters (e.g., works on Tomcat): 

/myapp/admin.php; random=value?userid=X 


(*) Neither approach works against Apache, because 
it uses Location parameter as prefix. 
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Self-Contained ModSecurity Rules 




Rules written like this are very easy to find: 

SecRule REQUEST_FILENAME 
"chain,phase:2,deny" 


"@streq /myapp/admin.php" 


SecRule ARCS:userid "!'^\d+$" 


■ Problems: 

- The use of @streq misses PATH_INF0 and path parameters attacks 

- Apache may not handle all obfuscation attacks, for example: 

/myapp//admin.php 
/myapp/./admin.php 
/myapp/xyz/../admin.php 
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Self-Contained ModSecurity Rules 




■ Here's a better version of the same patch: 

SecRule REQUEST_FILENAME \ 

"@beginsl\lith /myapp/admin.php" \ 

"chain,phase:2, t:normalizePath, deny" 
SecRule ARCS:userid "r\d+$" 

■ Improvements: 

- Use @beginsWith (@contains is good, too) 

- Use transformation function normalizePath 
to counter path evasion attacks 
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Backend Feature Variations 


o 


■ In a proxy deployment, you have to watch for 
impedance mismatch with various backend 
features: 

/myappXadmin.php 

Zmyapp/AdMiN.php 

■ Using Apache and ModSecurity: 

<Location ~ (?i)''[\x5c/]+myapp[\x5c/]+admin\.php> 
SecRule ARCS:userid "!''\d+$" 

</Location> 
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Backend Feature Variations 


■ o 


■ In a proxy deployment, you have to watch for 
impedance mismatch with various backend 
features: 

/myappXadmin.php 

Zmyapp/AdMiN.php 

■ ModSecurity only: 

SecRule REQUEST_FILENAME \ 

"@beginsWith /myapp/admin.php" \ 

"chain,phase:2, t:lowercase,!:normalizePathWin, deny" 
SecRule ARGS:userid "!''[o-9]+$" 
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Path Parameters Again 


o 


■ Path parameters are actually paf/i segment 
parameters, and can be used with any segment: 

/myapp; param=value/admin .php?userid=X 

■ New patch version: 

cLocation ~ (?i)''[\x5c/]+myapp(;[''\x5c/]*)? 

[ \x5c/] +admin\. php(; [ ''\x5c/ ] *) ?> 

SecRule ARCS:userid "!''\d+$" 

</Location> 

■ ModSecurity needs a new transformation function; could use the 
same pattern as above or reject all path segment parameters 
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Short Filenames on Windows 


o 


■ Windows uses short filenames to support 
legacy applications. For example: 

admin.aspx 

becomes 

ADMIN-l.ASP 

■ Ideal for virtual patch evasion under 
right circumstances: 

- Does not work with IIS 

- But does work with Apache running on Windows 
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Path Evasion against IIS 5.1 


o 


■ IIS 5.1 (and, presumably, earlier) are very 
flexible when it comes to path processing: 

1. Overlong 2- or 3-byte UTF-8 representing either / or \ 

2. In fact, any overlong UTF-8 character facilitates evasion 

3. Best-fit mapping of UTF-8 characters; for example U-i-0107 becomes c 

4. Best-fit mapping of %u-encoded characters 

5. Full-width mapping with UTF-8 encoded characters; for example U-I-FFOF becomes / 

6. Full-width mapping of %u encoding 

7. Terminate path using an encoded NUL byte (%00) 

■ IIS 5.1 and IIS 6 accept %u-encoded slashes 
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Path Handling of Major Platforms 


1 I Test 

IIS 5.1 

IIS 6.0 

IIS 7.0 

IIS 7.5 

IHBZx 

Tomcat 6.x | 

2 Path 00: Baseline test 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

3 Path 01: Supports %HH encoding 

Yes 

Yes 

Yes 

Yes 

Yes 

Yes 

4 Path 02: Supports %uHHHH encoding 

Yes 

Yes 

Status 400 

Status 400 

Status 400 

Status 400 

5 Path 03: Supports LTTF-O in filenames (encoded) 

No 

Yes 

Yes 

Yes 

Yes (pass-through) Configurable 

6 Path 04: Supports UTF-8 in filenames (bare) 

No 

No 

No 

No 

Yes (pass-through) Configurable 

7 Path 05: Performs best-fit mapping for %u 

Yes 

No (404; logs best Status 400 

Status 400 

Status 400 

Status 400 

8 Path 06: Performs best-fit mapping for bare UTF-8 

Yes 


No 

No 

No 

No 

9 Path 07: Performs best-fit mapping for encoded UTF-8 

Yes 

No 

No 

No 

No 

No 

10 Path 08: Invalid %HH encoding handling 

Preserves % 

Status 400 

Status 400 

Status 400 

Status 400 

Status 400 

11 Path 09: Invalid %uMM encoding handling 


Status 400 

Status 400 

Status 400 

Status 400 

Status 400 

12 Path 10: Valid vs invalid %HH preference (e g., d.txt vs %64.txt) 

Valid 

Valid 

Valid 

Valid 

Valid 

Valid 

13 Path 11: Valid vs invalid %HHHH preference 


Valid 

Status 400 

Status 400 

Status 400 

Status 400 

14 Path 12: NUL byte (encoded) 

Terminates path 

Status 400 

Status 400 

Status 400 

Status 404 

Status 400 

15 Path 13: NUL byte (bare) 

Status 400 

Status 400 

Status 400 

Status 400 

Terminates path 

Status 400 

16 Path 14: Backslash as path segment separator 

Yes 

Yes 

Yes 

Yes 

No 

Status 400 

17 Path 15: Fonivard slash as path segment separator (%u-encoded) 

Yes 

Yes 

Status 400 

Status 400 

Status^00^_^ 

Status 400 

jljPath 16: Fonward slash as path segment separator (URL-encoded) 

Yes 

Yes 

Yes 

Yes 

IStatus 404 [No if e 

Istatus 400 

19 Path 17: Backslash as path segment separator (URL-encoded) 

20 Path 18: Backslash as path segment separator (%u-encoded) 

Yes 

Yes 

Status 400 

Status 400 

Status 400 

Status 400 

Status 400 

21 Path 19: Control characters - encoded 

No effect 

Status 400 

Status 400 

Status 400 

No effect 

No effect 

22 Path 20: Control characters - bare 

No effect 

Status 400 

Status 400 

Status 400 

No effect 

No effect 

23 Path 21: Ovetfong UTF-8 sequences (non-separators) 2-byte sequence - encoded 

Yes 

No 

No 

No 

No 

No 

24 Path 22: Ovetfong UTF-8 sequences (non-separators) 3-byte sequence - encoded 

Yes 

Status 400 

Status 400 

Status 400 

No 


25 Path 23: Ovetfong UTF-8 sequences (non-separators) 4-byte sequence - encoded 

No 

Status 400 

Status 400 

Status 400 

No 


26 Path 24: Ovetfong UTF-8 sequences (non-separators) 2-byte sequence - bare 

Yes 

No 

No 

No 

No 

No 

27 Path 25: Overlong UTF-8 sequences (non-separators) 3-byte sequence - bare 

Yes 

Status 400 

Status 400 

Status 400 

No 


28 Path 26: Ovetfong UTF-8 sequences (non-separators) 4-byte sequence - bare 

No 

Status 400 

Status 400 

Status 400 

No 

No 

29 Path 27: Ovetfong UTF-8 sequences (separators) 2-byte sequence - encoded 

Yes 

No 

No 

No 

No 


30 Path 28: Ovetfong UTF-8 sequences (separators) 3-byte sequence - encoded 

Yes 


No 


No 


31 Path 29: Ovetfong UTF-8 sequences (separators) 4-b^e sequence - encoded 

No 


No 


No 


32 Path 30: Ovetfong UTF-8 sequences (separators) 2-byte sequence - bare 

Yes 


No 

No 

No 


33 Path 31: Ovetfong UTF-8 sequences (separators) 3-b^e sequence - bare 

Yes 



No 



34 Path 32: Ovetfong UTF-8 sequences (separators) 4-byte sequence - bare 

No 


No 

No 

No 

No 

35 Path 33: Fullwidth form mapping from %u encoding 

Yes 

No (404; logs best Status 400 

Status 400 

Status 400 

Status 400 

36 Path 34: Invalid UTF-8 encoding (encoded) 

No effect 

Status 400 

Status 400 

Status 400 

No effect 

No effect 

37 Path 35: Fullwidth form mapping from UTF-8 encoded 

Yes 

No 

No 

No 

No 

No 

38 Path 36: Double URL decoding 

No 

No 

No 


No 

No 

39 Path 37: Unicode normalization 

No 


No 


No 

No 

40 Path 38: Fullwidth form mapping from UTF-8 bare 

Yes 


No 


No 

No 

41 Path 39: Supports PATTfJNFO 

Yes, configurable Yes, configurable Yes, configurable Yes, configurable Yes, configurable 

Yes, configurable 

42 Path 40: Supports path segment parameters 

No 


No 


No 

Yes 

43 Path 41: Supports short filenames on Windows 

No 

No 

No 

No 

Yes 


44 Path 42: Supports Alternate Data Streams (ADS) 

No 

No 

No 

No 

No 

No 
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Path Handling of Major Platforms 


IIS 5.1 


IIS 6.0 


IIS 7.0 


IIS 7.5 


Apache 2.x Tomcat 6.x 


4 Path 02: Supports %uHHHH encoding 

5 Path 03: Supports UTF-8 in filenames (encoded) 

6 Path 04: Supports UTF-8 in filenames (bare) 

7 Path 05: Performs best-fit mapping for %u 

8 Path 06: Performs best-lit mappng for bare UTF-8 

9 Path 07: Performs best-lit mapping for encoded UTF-8 

10 Path 08: Invalid %HH encoding handling 

11 Path 09: Invalid %uMM encoding handling 

12 Path 10: Valid vs invalid %HH preference (e g., d.txt vs %64.txt) 

13 Path 11: Valid vs invalid %HHHH preference 

14 Path 12: NUL byte (encoded) 

15 Path 13: NUL byte (bare) 

16 Path 14: Backslash as path segment separator 

17 Path 15: Fonivard slash as path segment separator (%u-encoded) 
IFIPath 16: Forarard slash as path segment separator (URL-encoded) 

(URL-encoded) 



uences (separators) 2-byte sequence 
uences (separators) 3-byte sequence 
lences (separators) 4-byte sequence 

32 Path 30: Overlong UTF-8 sequences (separators) 2-byte sequence 

33 Path 31: Overlong UTF-8 sequences (separators) 3-b^e sequence 

34 Path 32: Overlong UTF-8 sequences (separators) 4-byte sequence 

35 Path 33: Fullwidth form mapping from %u encoding 

36 Path 34: Invalid UTF-8 encoding (encoded) 

37 Path 35: Fullwidth form mapping from UTF-8 encoded 

38 Path 36: Double URL decoding 

39 Path 37: Unicode normalization 

40 Path 38: Fullwidth form mapping from LnT-8 bare 

41 Path 39: Supports PATTfJNFO 

42 Path 40: Supports path segment parameters 

43 Path 41: Supports short filenames on Windows 

44 Path 42: Supports Alternate Data Streams (ADS) 


Yes Status 400 Status 400 Status 400 Status 400 

Yes Yes Yes Yes (pass-through) Configurable 

No No No Yes (pass-through) Configurable 

_No f404 Inns best Status 400_Status 400_Status 400_Status 400 


1 

Test 

2 

Path 

00: 

3 

Path 

01: 

4 

Path 

02: 

5 

Path 

03: 

6 

Path 

04: 

7 

Path 

05: 

8 

Path 

06: 

r 9 

Path 

07: 

: 10 

Path 

08: 

; 11 

Path 

09: 

n 12 

Path 

10: 

: 13 

Path 

11: 

: 14 

Path 

12: 

15 

Path 

13: 

’ 16 

Path 

14: 

17 

Path 

15: 

31 

]Path 

16: 


rfn n-ti. n--i— 1 ». 


Baseline test 
Supports %HH encoding 
Supports %uHHHH encoding 
Supports UTF-S in filenames (encoded) 

Supports LTTF-S in filenames (bare) 

Performs best-fit mapping for %u 

Performs best-fit mapping for bare UTF-8 

Performs best-fit mapping for encoded UTF-8 

Invalid %HH encoding handling 

Invalid %uHH encoding handling 

Valid vs invalid %HH preference (e g., d.txt vs %64.txt) 

Valid vs invalid %HHHH preference 

NUL byte (encoded) 

NUL byte (bare) 

Backslash as path segment separator 

Forward slash as path segment separator (%u-encoded) 

Forward slash as path segment separator (URL-encoded) 


Yes, configurable Yes, configurable Yes, configurable Yes, configurable Yes, configurable Yes, configurable 
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3 PARAMETER 

EVASION 
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Parameter Cardinality and Case 




■ In the simplest case, supplying multiple parameters or 
varying the case of parameter names may work; 

/myapp/admin. php?userid=l8iuserid=2 
/myapp/admin. php?uSeRiD=l8iuserid=2 


■ However, these techniques are more likely to work 
against custom-coded defenses; WAFs will have 
caught up by now. 
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PHP's Cookies as Parameters 




■ PHP can be configured to treat cookies as parameters, 
and place them in the $_REQUEST array: 

GET /myapp/admin.php 
Cookie: userid=X 

■ This is still the default behaviour in the code, with an 
override in the default php.ini (which can easily be 
misconfigured). 
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HTTP Parameter Pollution 


o 


■ Depending on the backend and the code used, the WAF 
may not know exactly that the application sees: 

/myapp/admin. php?userid=l8iuserid=2 


Technology 

Behaviour 

Result 

ASP 

Concatenate 

userid=l,2 

PHP 

Last occurrence 

userid=2 

Java 

First occurrence 

userid=l 


A better overview is available in 
the HTTP Parameter Pollution slides. 
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Tricks with PHP Parameter 
Names 


o 


■ PHP will change parameter names when they 
contain some characters it does not like: 

- Whitespace at the beginning is removed 

- Whitespace, dot, and open bracket characters 
in the middle converted to underscores 

/myapp/admin. php?+userid=X 
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Invalid URL Encoding 


o 


■ Different platforms react differently to invalid encoding. 

■ ASP removes a % character that is not 
followed by 2 hexadecimal digits: 

/myapp/admin. php?user%id=X 

■ In the old days, many C-based applications had incorrect 
decoding routines, which lacked error detection. 

/myapp/admin. php?user%}9d=X 
/myapp/admin. php?user%69d=X 
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Content Type Evasion 


o 


■ When parameters are transported in request body, you 
can attack the encoding detection mechanism 

- Attack applications that hard-code processing: 

■ Omit the Content-Type request header 

■ Place an arbitrary value in it 

■ Use multipart/torm-data, and craft the request body to be a valid 
multipart payload (the app will still parse as Uriencoded) 

- Attack apps with lax content type detection: 

■ For example, Apache Commons FileUpload accepts any MIME 
type that begins with multipart/ as multipart/torm-data 

- Use less common formats, such as JSON 

- Use a different transport, for example WebSockets 
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ModSecurity Bypass 


o 


■ By default, ModSecurity ignores unknown MIME types 

- With Apache Commons FileUpload, send a request 
body with multipart/whatever MIME type 

- Request bodies using encodings other than 
Uriencoded and Multipart are completely ignored 

■ Possible improvements to ModSecurity: 

- Fail closed upon detecting unknown MIME type 

- Inspect all request bodies as a stream of bytes 
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4 MULTIPART 
EVASION 
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Multipart Format Overview 


b O 


POST / HTTP/1.0 
Content-Type: Imultipart/form-dataj boundary 40000| 
Host: www.example.com 
Content-Length: 10269 




i--oooor _ 

Content-Disposition: form-data; |name= 




|Dohn Smith [ 

--0000 

Content-Disposition: form-data; name="email" 


John.smith@example.com 
--0000 _ 


Content-Disposition: 

form-data; name="image"; filename="image.jpg" 

Content-Type: image/ 

jpeg 


FILE CONTENTS REMOVED 
-- 0000 -- 
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Apache Commons FileUpload 


■ Define constant for later use: 
pub lic static final String _ 

l\ ^ULTIPART = "multipart/"; 


Determine if Multipart request body is present: 

if (c ontentTvpe.toLowerCase Q. 

s |tartsWith(MULTIPART^ { 

return true; 

} 
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ModSecurity CRS Bypass 


■ ModSecurity Core Rules will attempt to restrict 
MIME types, but not always successfully: 


- With Apache Com mons FileUplo ad, send a 
request body with multipart/ MIME type. 

- Reported as fixed in CRS 2.2.5. 


■ The flaw was in this rule, where the 
check was not strict enough: 


SecRule REQUEST_CONTENT_TYPE "!@within \ 
application/x-www-form-urlencoded \ 


multipart/f arm-data" 


O 
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Content-Type Evasion 


o 


■ Trick the WAF into not seeing a Multipart request body 

■ Examples: 

Content-Type: multipart/form-data ; boundary=0000 
Content-Type: mUltiPart/ForM-dATa; boundary=0000 
Content-Type: multipart/form-dataX; boundary=0000 
Content-Type: multipart/form-data, boundary=0000 
Content-Type: multipart/form-data boundary=0000 
Content-Type: multipart/whatever; boundary=0000 
Content-Type: multipart/; boundary=0000 

ModSecurity with Apache Commons FileUpload bypass 
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PHP Source Code 



o 


boundary ^^trstr(content_type, "boundary"); 

if (Iboundary) { 


^Lowercase header and try again */ 


if (Iboundary II A _ 

!(boundary = stt jdir(boundary, '='))) { 
/* Return with error */ 

} 
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Boundary Evasion 


o 


■ Trick the WAF into seeing a different boundary 

■ Examples: 

Content-Type: multipart/form-data; 

boundary =0000; boundary=llll 
Content-Type: multipart/form-data; 
boundaryX=0000; boundary=llll 

Content-Type: multipart/form-data; 

boundary=0000; boundary=llll 
Content-Type: multipart/form-data; 

boundary=0000; B0UNDARY=1111 _ 

Content-Type: multipart/form-data; 
boundary=0000'llll 


Stefan Esser in 
2009 to have 
worked against F5 


0 Qualys 


35 


BLACK HAT USA 2012 






Part Evasion 


o 


■ Boundary evasion leads to part evasion, but even when 
you get the boundary right you can still miss things 

■ In 2009, Stefan Esser reported that PHP continues to 
process the parts that appear after the "last" part 

--0000 

Content-Disposition: form-data; name="name" 

John Smith 

-- 0000 -- - 

Content-Disposition: form-data; name="name" 

ATTACK 

--0000 
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Parameter Name Evasion 



■ Focuses on differences in parameter name parsing. 

■ Example attacks: 

Content-Disposition: form-data; name="nl"; name="n2" 
Content-Disposition: form-data; name="nl"; name ="n2" 


Content-Disposition: form-data; 


name="nl" 

name="n2" 

name="nl" 

name ="n2" 
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Parameter Type Evasion 


o 


■ WAFs may treat files differently. For example: 

- ModSecurity has different inspection controls for files 

- No file inspection in the CRS 

■ ModSecurity bypass reported by Stefan Esser in 2009 

- Thought to have been fixed (I was not involved) 

- Stefan's original payload below 

Content-Disposition: form-data; 
name=';filename="';name=payload;" 
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Parameter Type Evasion 


o 


■This is what ModSecurity saw: 

Content-Disposition: form-data; 
name=';filename=" ';name=payload;" 

u t_- __I 

name filename 


■This is what PHP sees: 

Content-Disposition: form-data; 
name=' ;filename=" ' ;name=payloadj" 

name (ignored) name 
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Parameter Type Evasion 


o 


■ Flaw thought to have been fixed 

■ I rediscovered the problem during my evasion research 

■ The original problem had been 
misunderstood and addressed incorrectly: 

■ ModSecurity added support for single 
quotes in parameter values 

■ PHP supports single-quote escaping 

anywhere within the C-D header 

■ New ModSecurity bypass* with only 1 extra character: 

Content-Disposition: form-data; 
namej:x'fctilename=" ' ;name=payload;" 

(*) Reported to have been addressed in ModSecurity 2.6.6 
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Multipart Evasion Summary 


o 


■ Complex and vaguely specified format 

■ Implementations are often: 

- Quick & dirty (whatever works) 

- Focused on real-life use cases (not the specification) 

■ Rife opportunities for evasion 

■ There are 37 tests available in the 
repository 

- Tested against ModSecurity and PHP 

- Testing of the major platforms 
will follow soon 
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5 WHAT 

NEXT? 
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Future Work 


o 


■ At this time: 

- Path handling has good coverage (tests + results) 

- Parameter handling and multipart test cases in good shape 

■ Need to test major platforms 

■ Future activity 

- Complete other areas of protocol-level evasion 

■ HTTP parsing 

■ Character set issues 

■ Hostname evasion 

- Document all techniques in the Evasion Techniques Catalogue 
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Where to Go From Here 


o 


■ More information in the 
accompanying whitepaper 

■ Get the tools and docs from GitHub: 
https://github.com/ironbee/waf-research 

- Path handling research 

- Baseline, path, and multipart test cases 

■ Test your security products 

■ Contribute your results 


>100 

TESTS 
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Thank You 

Ivan Ristic 

iristic@qualys.com 
Twitter: @ivanristic 


How to Write a Good Virtual Patch 




■ Take these steps to write a good virtual patch: 

1. Study the problem, ideally by reading source code 

■ If the source code is not available, do what you can by analyzing the 
advisory, the exploit, and by attacking the application 

2. Use a path that can withstand evasion attempts 

3. Enumerate all parameters 

4. For each parameter 

1. Determine how many times it can appear in request 

2. Determine what it is allowed to contain 

5. Reject requests with unknown parameters 

■ Outside the patch, enforce strict configuration 
that does not allow requests with anomalies 
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Baseline Tests 


o 


■ In the repository, there is a set of baseline tests designed 
to determine if all parts of a HTTP requests are inspected 
by a WAF 

■ Instructions: 

1. Find one payload that is blocked by the WAF 

2. Submit payload in every different logical location 

3. Determine locations that are 
not monitored 

4. Seek ways to exploit the 
application in that way 
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Why Should You Care? 


■ Researchers: 

- Fascinating new data, and effort to systematically and 
collaboratively analyse how WAFs perform in this area 

■ Testers (breakers): 

- Lots of practical assessment techniques 

■ Defenders: 

- Lots of practical information about Apache and ModSecurity 

- A better picture of the true state of your defences 
(and an opportunity to tell your vendor how much you care) 

■ Vendors: 

- Good reason to allocate more funds to the core functionality 
of your WAF, leading to a better product 


o 
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Donald Knuth on Email 


o 



"Email is a wonderful thing for 
people whose role in life is to 
be on top of things. But not for 

me; my role is to be on the 
bottom of things. " 
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Previous Work 


o 


■ A look at whisker's anti-IDS tactics 

Rain Forest Puppy (1999) 

■ Bypassing Content Filtering Software 

3APA3A (2002) 

■ HTTP IDS Evasions Revisited 

Daniel J. Roelker (2003) 

■ Snort's README.httpJnspect 

Sourcefire et a I (2005) 

■ Shocking News in PHP Exploitation 

Stefan Esser (2009) 

■ HTTP Parameter Pollution 

Luca Carettoni and Stefano di Paola (2009) 
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About Ivan Ristic 


o 


Ivan is a compulsive developer, 
application security researcher, writer, 
publisher, and entrepreneur. 


modsecurity 


■ Apache Security, 

O'Reilly (2005) 

■ ModSecurity, open source 
web application firewall 

■ SSL Labs, SSL/TLS, 
and PKI research 

■ Modsecurity Handbook, 

Feisty Duck (2010) 

■ IronBee, a next-generation open 
source web application firewall 
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